As part of the DigiCert acquisition of Symantec’s Website Security and related PKI Solutions business, we will be changing the Certificate Authority that signs new digital certificates. This will affect all certificates used on the Symantec infrastructure in the normal annual renewal cycle going forward.
What does this mean?
Any new digital certificates installed by Symantec on our Email Security.cloud mail tower infrastructure after November 28th, 2017 will be signed by the DigiCert Root CA instead of the previous Symantec VeriSign Root CA. However, the first planned renewals will start in February 2018 and be completed by the end of September 2018.
What is the impact?
In most cases, this change will not cause an issue. However, some customers may have configured their mail server to trust only a specific root CA, such as "VeriSign Class 3 Public Primary Certification Authority - G5". These customers could face TLS email delivery failures once Symantec's Email Security.cloud mail towers have been updated to use the new certificate that is signed by DigiCert Global Root CA.
Below is a table showing the current certificate chain along with the new chain going forward.
| |Current chain|New chain|
|---|---|---|
|Root|Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5|Issuer: CN=DigiCert Global Root CA|
| |Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5|Subject: CN=DigiCert Global Root CA|
|Intermediate|Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5|Issuer: CN=DigiCert Global Root CA|
| |Subject: CN=Symantec Class 3 Secure Server CA - G4|Subject: CN=DigiCert SHA2 Secure Server CA|
Note that Symantec Email Security.cloud infrastructure will continue to use and trust the Root CAs from both VeriSign and DigiCert.
We suggest installing the DigiCert root CA and Intermediate CA in your mail server's Trusted Root CA store. Refer to Managed PKI for SSL/TLS - installation instructions. If you are unable to install these certificates on your mail server, contact your mail server vendor.
To verify these certificates, refer to DigiCert Trusted Root Authority Certificate.
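One way to check whether a mail server's trust store already contains the new root, as an added example that is not Symantec's or DigiCert's own tooling. It assumes the trust store is available as a PEM bundle and that the `openssl` command-line tool is installed; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: audit a PEM trust bundle for the two root CAs in the table.
# Matching is by subject CN, which is not proof of authenticity; compare the
# printed SHA-256 fingerprint with the value published by the CA.

OLD_ROOT_CN='VeriSign Class 3 Public Primary Certification Authority - G5'
NEW_ROOT_CN='DigiCert Global Root CA'

# find_root BUNDLE CN
# Prints the fingerprint of each self-issued certificate in BUNDLE whose
# subject CN equals CN. Returns 0 if at least one was found, 1 otherwise.
find_root() {
    want=$2
    found=1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { if (f) close(f); f = d "/" (++n) ".pem" }
        f { print > f }' "$1"
    for c in "$tmp"/*.pem; do
        [ -f "$c" ] || continue
        got=$(openssl x509 -in "$c" -noout -subject -nameopt multiline 2>/dev/null |
              sed -n 's/^ *commonName *= //p')
        [ "$got" = "$want" ] || continue
        # Self-issued check: skips cross-certificates that reuse the CN.
        [ "$(openssl x509 -in "$c" -noout -subject_hash)" = \
          "$(openssl x509 -in "$c" -noout -issuer_hash)" ] || continue
        openssl x509 -in "$c" -noout -fingerprint -sha256
        found=0
    done
    rm -rf "$tmp"
    return "$found"
}

# audit_bundle BUNDLE
# Reports both roots; returns 0 only if the new DigiCert root is present.
audit_bundle() {
    for name in "$OLD_ROOT_CN" "$NEW_ROOT_CN"; do
        if fp=$(find_root "$1" "$name"); then
            echo "present: $name ($fp)"
        else
            echo "MISSING: $name"
        fi
    done
    find_root "$1" "$NEW_ROOT_CN" >/dev/null
}

# Usage: sh check_roots.sh /path/to/ca-bundle.pem  (path is an example)
if [ "$#" -gt 0 ]; then audit_bundle "$1"; fi
```

A bundle that reports the VeriSign root as present and the DigiCert root as MISSING matches the pinned configuration described under "What is the impact?".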